If you're wondering what can go wrong with putting your data in the cloud, the example of the Mexican National Electoral Institute (INE) may be instructive.
INE maintains a database of 93 million voters in Mexico with all the personal information that qualifies them for a government ID and to vote. It makes copies available -- to whom and under what circumstances is not clear -- and one of them was stored by its owner in MongoDB on the Amazon EC2 cloud. The owner has not been identified.
Chris Vickery, a security researcher who works for a Macintosh software company, MacKeeper, discovered the database and found he needed no credentials to get into it and examine the data. No authentication procedures had been placed on it to restrict access to its owners, nor had the data been encrypted.
Vickery notified ArsTechnica of the existence of the database on April 14, according to an April 25 article that appeared on the site's UK edition.
Several days later, Vickery told a Harvard University audience about his experience during a speaking engagement. Vickery, along with a Mexican citizen and a journalist in attendance, attempted to notify Mexican authorities of the exposure. Vickery took the Mexican citizen to the database after his talk and looked up the name of his father. The address displayed corresponded to his family's, as did other personal information, according to The Register's report in the UK.
Vickery initially had only been able to guess that he was looking at a database of Mexican voter information.
Amazon was notified of the exposure April 21, and the company notified the MongoDB system owner that knowledge of its unprotected database had been made public. It was taken down by April 22.
Although it's being described as a massive database leak or breach in some quarters, there's no direct evidence that anyone stole information from the system or downloaded it for their own purposes. It couldn't be accessed as a URL over the Internet.
Vickery activated a MongoDB client and went to its IP address, which he found using the Shodun search engine. Shodun can be used to locate Internet-attached devices and identify IP addresses. Vickery used the default port invoked by MongoDB -- port 27017 -- in the Shodun search engine to come up with the IP address, then used it in the MongoDB client.
"There really was nothing special about the search terms. It was just a stroke of luck that I saw it and followed up," Vickery told ArsTechnica.
Notified of the existence of the system, The INE issued a statement in Spanish that the BBC translated as saying the institute "watermarks" copies of the data sets it issues so they can be traced to their owners. It threatened to pursue the owner for breaking the law if the data prove to have been used improperly, according to the translation.
Amazon Web Services issued a brief statement on the incident saying that it had notified the owner of the system as soon as it received word about its discovery, and that it was removed soon afterward. Amazon regularly advises customers that it will take responsibility for the security of the cloud infrastructure, but they must take responsibility for the applications they run on it.
"The promise of the cloud is to deliver rapid value, and bring increased levels of efficiency and agility. However, as evidenced by this incident, this has to be balanced with clear support for monitoring and governance by companies that consume the cloud," said Rohit Gupta, CEO and cofounder of Palerra, a cloud security firm.
He said, in an email message, that proper configuration of MongoDB systems in the cloud would have kept out prying eyes, and that encryption of the data would have prevented any identity theft if someone still got in. He urged the monitoring of something like a large MongoDB data system in the cloud, with an audit trail of any system administrator activity.
"Security monitoring and governance does for the cloud what air traffic control does for airplanes; it prevents catastrophic outcomes," he said.